Ethereal-users: Re: [ethereal-users] Filtering SYN Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 28 Oct 1999 13:04:58 -0700 (PDT)

> To only *display* packets with a SYN flag, you use:
> frame[47 : 1] == 0x02

...assuming that you have a 14-byte link-layer header and a 20-byte IP
header; if you're not using Ethernet, or there are IP options, that's
not necessarily the case.

It turned out that

	(tcp[13:1] & 0x02) != 0

was invalid for reasons other than "you can't subscript 'tcp'"
(unfortunately, as the error was "Unable to parse filter string", it
didn't say what the reason was - I think we don't handle arbitrary
arithmetic expressions in display filters) - and, besides, that gets all
packets with SYN, so

	tcp[13:1] == 0x02

should do the trick (regardless of how big the link-layer or IP headers
are).
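
The difference between the three filter expressions in the message above, modelled in Python as an added example (not part of the original message and not Ethereal code). The frames are constructed Ethernet/IPv4/TCP samples, and the helper names are hypothetical.

```python
import struct

ETH_HLEN = 14  # Ethernet II header without a VLAN tag (assumption of this example)

def build_frame(flags, ip_options=b"", ack=0):
    """Constructed Ethernet/IPv4/TCP frame carrying the given TCP flags byte."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4                  # IP header length in 32-bit words
    eth = bytes(12) + b"\x08\x00"                   # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, ack, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def tcp_flags_offset(frame, link_hlen=ETH_HLEN):
    """Frame offset of the TCP flags byte, i.e. where tcp[13] actually sits."""
    ip_hlen = (frame[link_hlen] & 0x0F) * 4         # IHL field, converted to bytes
    return link_hlen + ip_hlen + 13

def frame47_eq_syn(frame):
    """frame[47:1] == 0x02 -- fixed offset from the start of the frame."""
    return frame[47] == 0x02

def tcp13_eq_syn(frame):
    """tcp[13:1] == 0x02 -- flags byte is exactly SYN."""
    return frame[tcp_flags_offset(frame)] == 0x02

def tcp13_has_syn(frame):
    """(tcp[13:1] & 0x02) != 0 -- SYN bit set, other flags ignored."""
    return frame[tcp_flags_offset(frame)] & 0x02 != 0

if __name__ == "__main__":
    nop_options = b"\x01\x01\x01\x00"               # 4 bytes of IP options (NOP, NOP, NOP, EOL)
    samples = {
        "SYN": build_frame(0x02),
        "SYN+ACK": build_frame(0x12),
        "SYN, IP options": build_frame(0x02, nop_options),
        "ACK, IP options, ack=0x00020000": build_frame(0x10, nop_options, ack=0x00020000),
    }
    for name, frame in samples.items():
        print(f"{name:34} flags@{tcp_flags_offset(frame)} "
              f"frame[47]==2:{frame47_eq_syn(frame)!s:5} "
              f"tcp[13]==2:{tcp13_eq_syn(frame)!s:5} "
              f"tcp[13]&2:{tcp13_has_syn(frame)}")
```

With IP options present, the fixed frame offset misses a real SYN and matches an ACK whose acknowledgement number happens to have 0x02 at byte 47, while the protocol-relative forms stay correct.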